Cloud Storage Privacy Policies: What It All Means – Cloudwards

Privacy in the cloud was a hot topic well before it became known that the U.S. government had partnered with some of the biggest names on the Internet to collect user data. Whether for hunting would-be terrorists or selling skivvies, data has value and somebody wants yours.

The problem with privacy is that as fascinating and important a topic as it might be, slogging through the thick soup of assurances and exceptions typical in most privacy policies is a good cure for insomnia. To help lessen the load, Cloudwards.net decided it was time to address the subject head on.

Read on to learn more about what to look for in a privacy policy and how much it all matters.

Don't mistake cloud privacy for cloud security. While good security can help ensure your privacy, security is more about preventing illegal access to your content. Privacy, on the other hand, is about restricting legal access: how the cloud provider can and can't use your data, and who they can and can't share it with.

A privacy policy, by definition, is an agreement by which the company holding your data must tell you what data gets collected and how it gets used. In general, such policies are considered standard practice if a company collecting the data has enough information to identify who you are. However, laws mandating these policies vary from country to country.

Since most cloud storage and backup companies are based in the United States, we're going to focus our attention there.

Surprisingly (or not), the United States doesn't have a single federal law that states companies collecting data must have a privacy policy. However, based on a subset of federal, state and international laws, the FTC developed a best practice guideline for businesses to follow called the Fair Information Practice Principles (FIPPS).

There are five core principles businesses are encouraged to follow:

That last point might be a bit confusing. In a nutshell, while the FTC doesn't directly regulate privacy, should a company be caught violating its privacy policy by using your data in a way that it said it wouldn't, you can sue them and the government can fine them.

Of course, remember that technically FIPPS are guidelines, not law. At the same time, FIPPS, while not legally binding itself, is based on a broad set of laws that include:

These laws give you an avenue to seek redress if your information is used improperly. All of this is to say that you can generally take a privacy policy at its word. So, that's step one.

Any good cloud storage or backup privacy policy is going to tell you:

To illustrate with a policy that hits all of these points, we're going to use Carbonite (read our Carbonite review for more information), a backup provider, as an example. While not without its moments, the Carbonite privacy policy provides one of the friendlier reads of any privacy policy we've analyzed. Any policy that doesn't take seven shots of espresso and a law degree to interpret is okay in our book.

Following a quick introduction affirming its respect for user privacy and establishing that it won't use your data for any means other than those described in the policy, Carbonite launches a rundown of the points listed above. The policy tends to go back and forth a bit, so to keep things simple we've extracted the relevant parts for you.

No surprise, Carbonite collects information like your name, address and email. If you sign up for the service, it also includes your billing information. Carbonite also monitors your website visits and pulls some information from your device. This includes the usual tracking cookies and logging your IP addresses, browser type, browser language and activity dates.

As a backup service, Carbonite also collects file system information from your computer. This includes:

And of course, it stores your data, too, which gets kept in secured data centers.

Carbonite labels the information it collects as either account information (name, billing information, etc.) or diagnostic information (IP address, file system information, etc.). The purpose of account information is primarily identification and billing. It would be hard to run a subscription service without it. Diagnostic information is used for several things. In part, that's analytics and customer support. Having your device information helps Carbonite better help you.

However, it's also used for marketing. Carbonite doesn't state what specific marketing purposes it has in mind. At the very least, you're going to start seeing Carbonite ads pop up around the Internet.

On top of that, Carbonite gives itself leeway to share your information with third parties, whether for analytics, management, support or marketing:

Carbonite may also use Your Account Information and Diagnostic Information, and share such information with contracted third parties that perform functions on Carbonite's behalf and under Carbonite's instruction, in order to perform analytics and assist with customer support, account management, and our marketing efforts.

Carbonite does affirm that any third parties your information is shared with must abide by the terms in its privacy policy. Such statements should be standard practice. If a service doesn't explicitly make that connection, stay away, although no examples come to mind.

As far as your files' content itself, Carbonite states that its employees will not view the contents of Your encrypted stored data, which is hosted within the United States and/or internationally with third-party cloud storage providers, without Your consent (sic).

That said, there is one big exception to this, which is legal matters: Carbonite may disclose Your information if such action is necessary to comply with applicable law or to enforce Carbonite's Terms of Service (sic). So, if the government comes calling with a warrant or Carbonite decides to sue you for breaching its service's terms, all bets are off.

Collecting information for billing and support is a necessary part of providing a subscription service like cloud backup. Collecting information for marketing is not.

People can have varying attitudes towards targeted online marketing that uses their personal information. For some, it's a way of discovering products they might be interested in. For others, it's an invasion of privacy. In fact, numbers from a Pew Research study indicated that 28 percent of Americans have used the Internet in some way to block or avoid advertisers.

If you're anti-marketing, the good news is that Carbonite follows suggestion two of the FIPPS by giving you the ability to opt out of having your information used for that purpose. There are a few different ways you can do this, but the easiest is to just email privacy@carbonite.com. If you don't, the company assumes you're fine with it.

Additionally, as Carbonite notes in its privacy policy, you can set your browser to reject cookies in order to curb targeted marketing.

Carbonite takes an additional step in protecting user privacy by complying with two privacy shield frameworks designed to secure transatlantic data transfers: the EU-U.S. Privacy Shield Framework and the U.S.-Swiss Safe Harbor Framework.

These two protocols were created by the U.S. Department of Commerce, the European Commission and the Swiss Administration to give companies guidance on how to protect the personal information of their users, plus some safeguards against the U.S. improperly using data and routes for legal action in case of violations.

Both frameworks are completely voluntary. Both are also relatively new, with the EU-U.S. agreement receiving approval in July, 2016 and the Swiss-U.S. agreement in January, 2017. Adherence relies on self-regulation on the part of the company. It also requires a public statement in the company's privacy policy that it agrees to the framework's terms.

Once a company joins, commitment is enforceable by law. Given that joining is voluntary and subjects the company to additional legal exposure once joined, finding a statement of adherence makes for a welcome indication of a U.S.-based company's stance on user privacy.

You can check if your cloud storage or backup provider has been certified in either framework by visiting the U.S. Department of Commerce's Safe Harbor website:

Privacy policies are legally binding, which is important to understand. True, such privacy laws in the U.S. haven't been enough to hinder government surveillance programs, but in most cases you can rest somewhat easy that your information isn't going to be used in ways you don't want it to be, especially if you opt out of marketing.

That said, the law can be a tricky thing and doesn't always favor the consumer over the corporation. Given that, the best rule of thumb is for private citizens to take control of their own privacy.

VPN services are a good first step. They can be used to spoof your IP address and location to counter targeted marketing, government surveillance and hacking activities. There are many great VPN options for consumers out there, which you can read more about in our 2017 guide to finding the best VPN.

If cloud-stored metadata and file content are a concern, consider a zero-knowledge provider. Such providers let you create your own encryption key that only you know. Without access to that key, the company holding your content can't decrypt it, even if men in black suits come knocking.

Carbonite, in case you were wondering, does let you set up your own private encryption key.

Many other Cloudwards.net online backup favorites, including IDrive, Backblaze and CrashPlan, do too. As far as cloud storage, our article on the best zero-knowledge cloud storage services will give you some nice alternatives to services that aren't zero-knowledge, like Dropbox, Google Drive and OneDrive.

Other steps you can take include:

Combined with making sure the privacy policy of the cloud service you choose hits all the right points, these steps should help ensure your private information stays that way.

Have some privacy concerns of your own? Let us know in the comments below. Thanks for reading.